Happy New Year
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
AGREEMENT BY AND BETWEEN - Jack Henry & Associates, Inc.,
Monett, Missouri, a technology service provider to depository
institutions and their subsidiaries and affiliates, (“TSP”), and the
Comptroller of the Currency of the United States of America
(“Comptroller” or “OCC”), the Federal Deposit Insurance Corporation
(“FDIC”), and the Federal Reserve Bank of St. Louis (“Reserve Bank”)
(collectively “the Regulators”), wish to protect the interests of
the TSP’s depository institution clients', their depositors, and
- Experts discuss implications of massive Target breach - Retail
giant Target has yet to announce exactly how attackers compromised
its point-of-sale (POS) devices to steal roughly 40 million credit
and debit cards and CVV codes in two and a half weeks, but
researchers and security experts have already begun weighing in on
the implications of such a colossal breach.
- Code-busters lift RSA keys simply by listening to the noises a
computer makes - Computer scientists have shown how it might be
possible to capture RSA decryption keys using the sounds emitted by
a computer while it runs decryption routines.
- Another Massive Problem With U.S. Democracy: The FEC Is Broken -
As cash floods the political system, the federal watchdog is beset
with Chinese hackers, staff vacancies, feuding among commissioners,
and a huge backlog of cases - to name just a few.
- China's central bank hit in net attack - Bitcoin sign Bitcoins are
starting to be used to pay for real world goods and services - The
attack is thought to have been in retaliation for government action
to restrict trading in bitcoins.
- Senators call on FTC to investigate Target breach - The FTC should
have more authority to sanction victoms of data breaches, Senator
Richard Blumenthal says - A U.S. senator has called on the Federal
Trade Commission to investigate Target's security practices after
the large retailer reported a data breach affecting 40 million
customer credit and debit cards.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- POS attack enabled hackers to steal 40M card numbers from Target,
researchers say - Retail giant Target announced Thursday that it had
become the victim of a more than two-week-long attack that may have
compromised approximately 40 million credit and debit cards and CVV
codes, as well as customer names.
- Washington Post says attackers breached its servers - For the
second time in recent months, The Washington Post has experienced a
breach at the hands of cyber attackers.
- Unemployment recipients hit hard in JPMorgan Chase breach -
Roughly 20,000 unemployment insurance recipients in Texas are among
the 465,000 individuals who had prepaid cash cards compromised in
the breach of banking and financial services holding company
JPMorgan Chase, disclosed earlier this month, according to a San
Antonio Express report.
- Coding error compromises data for thousands in Washington state -
The state of Washington's Department of Social and Health Services'
Economic Services Administration (ESA) is notifying up to 7,000
clients that their personal information may have been compromised
after a coding error caused ESA letters to be mailed to old
- Affinity Casino Company Warns of Data Breaches - A Las Vegas
company that owns casinos in Nevada, Colorado, Iowa and Missouri
fell victim to a cyberattack earlier this year, compromising the
credit and debit card information of patrons at 11 sites, company
officials said Friday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC,) an example
of a consumer's authorization that is not in the form of a signed
writing but is, instead, "similarly authenticated," is a consumer's
authorization via a home banking system. To satisfy the regulatory
requirements, the institution must have some means to identify the
consumer (such as a security code) and make a paper copy of the
authorization available (automatically or upon request). The text
of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses,
Attacks, and Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware - or software - based keystroke capture mechanisms. PKI
private keys could be captured or reverse - engineered from their
tokens. Protection against these attacks primarily consists of
physically securing the client systems, and, if a shared secret is
used, changing the secret on a frequency commensurate with risk.
While physically securing the client system is possible within areas
under the financial institution's control, client systems outside
the institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the
authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
is an attacker's use of an authenticated user's session to
communicate with system components. Controls against hijacking
include encryption of the user's session and the use of encrypted
cookies or other devices to authenticate each communication between
the client and the server.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]